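# pf.conf for a dual-stack router: one external uplink ($EXT) and one
# internal LAN ($LAN).  Layout: macros, options, default block, then pass
# rules ordered outbound -> inbound from the LAN -> published servers.
#
# pf evaluates rules last-match-wins (no "quick" is used here), so the
# initial "block in log all" is overridden by every later "pass in" rule.

# external interface
EXT = "bge0"
# internal LAN interface
LAN = "bge1"

# IPv4 / IPv6 addresses of the LAN interface
LANip4 = "192.168.1.1"
LANip6 = "2001:db8:1:1::1"

# IPv4 / IPv6 addresses of the external interface
EXTip4 = "192.168.2.1"          # fixed: closing quote was missing
EXTip6 = "2001:db8:1:2::1"

# prefixes on the LAN interface (network address, host bits zero)
LANnet4 = "192.168.1.0/24"
LANnet6 = "2001:db8:1:1::/64"   # fixed: was "2001:db8:1:1::1/64" (host bits set)

# loopback addresses
Lo4 = "127.0.0.1"
Lo6 = "::1"

# internal server published to the outside (SSH and WWW, see the end)
# NOTE(review): LANSRV6 lies in the 2001:db8:1:2::/64 range used by $EXTip6,
# not in $LANnet6 -- confirm this is the intended address.
LANSRV6 = "2001:db8:1:2::2"
LANSRV4 = "192.168.1.2"

# expire state entries early (shorter state timeouts)
set optimization aggressive

# default deny for inbound traffic on every interface, logged.
# Outbound traffic that matches none of the "pass out" rules below is still
# allowed by pf's implicit default pass, so those rules document intent
# rather than restrict; add "block out log all" if outbound should be
# limited to exactly the listed flows.
block in log all

# allow DNS requests to go out
pass out on $EXT inet  proto udp from { $EXTip4, $Lo4, $LANnet4 } to any port domain keep state
pass out on $EXT inet6 proto udp from { $EXTip6, $Lo6, $LANnet6 } to any port domain keep state

# all TCP requests allowed out
# (fixed: EXTip4/EXTip6 were written without "$" and would have been
# treated as hostnames)
pass out on $EXT inet  proto tcp from { $EXTip4, $Lo4, $LANnet4 } to any keep state
pass out on $EXT inet6 proto tcp from { $EXTip6, $Lo6, $LANnet6 } to any keep state

# ping requests allowed out (ICMP type 8 = echo request)
pass out on $EXT inet  proto icmp  all icmp-type  8 code 0 keep state
pass out on $EXT inet6 proto icmp6 all icmp6-type echoreq keep state

# IPv6 neighbour discovery on the uplink, both directions: the router both
# solicits its neighbours and answers their solicitations.
pass out on $EXT inet6 proto icmp6 all icmp6-type { neighbradv, neighbrsol }
pass in  on $EXT inet6 proto icmp6 all icmp6-type { neighbradv, neighbrsol }

# neighbour discovery from LAN hosts.  Without this, "block in log all"
# drops their neighbour solicitations on $LAN and they can never resolve
# the router's link-layer address for $LANip6.
pass in  on $LAN inet6 proto icmp6 all icmp6-type { neighbradv, neighbrsol }

# router advertisement out to the LAN, router solicitation in from the LAN
# (fixed: "routersadv" / "routerrsol" are not valid icmp6 type names)
pass out on $LAN inet6 proto icmp6 all icmp6-type routeradv
pass in  on $LAN inet6 proto icmp6 all icmp6-type routersol

# DNS requests from the LAN (fixed: "proto" had no protocol name)
pass in on $LAN inet  proto udp from $LANnet4 to any port domain
pass in on $LAN inet6 proto udp from $LANnet6 to any port domain

# TCP requests from the LAN
pass in on $LAN inet  proto tcp from $LANnet4 to any
pass in on $LAN inet6 proto tcp from $LANnet6 to any

# ICMP echo requests from the LAN
# (fixed: the ICMP code and the icmp6 type were missing)
pass in on $LAN inet  proto icmp  all icmp-type  8 code 0
pass in on $LAN inet6 proto icmp6 all icmp6-type echoreq

# allow incoming connections to the SSH server
# (fixed: "keep-state" is not pf syntax; it is "keep state")
# NOTE(review): port 22 is open to any source address.  A per-source
# connection-rate limit (max-src-conn-rate with an overload table) or a
# source allow-list would narrow the exposure.  No rdr/nat rule is visible
# in this file -- confirm how external clients reach the RFC 1918 address
# in $LANSRV4.
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port ssh keep state
pass in on $EXT inet  proto tcp from any to $LANSRV4 port ssh keep state

# replies from the SSH server.  Not strictly needed: the state created by
# the rules above already matches the return traffic.
pass in on $LAN inet6 proto tcp from $LANSRV6 port ssh to any keep state
pass in on $LAN inet  proto tcp from $LANSRV4 port ssh to any keep state

# allow incoming connections to the WWW server
pass in on $EXT inet6 proto tcp from any to $LANSRV6 port www keep state
pass in on $EXT inet  proto tcp from any to $LANSRV4 port www keep state

# replies from the WWW server.  Not strictly needed, same reason as above.
pass in on $LAN inet6 proto tcp from $LANSRV6 port www to any keep state
pass in on $LAN inet  proto tcp from $LANSRV4 port www to any keep state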